centos 6
tmpfile weakness #52


Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file created and used by a high-privilege process is reachable by a low-privilege process, typically because the file lands in a shared, world-writable directory such as /tmp after the process has already passed its access checks. A low-privilege process that can read the file learns the high-privilege process's data (information leakage); one that can predict the file's name and plant a file or symbolic link there first can make the high-privilege process read from, or write to, a file of the attacker's choosing (the classic temporary file race).

Warning code(s):

Temporary file race condition.

File Name:

glibc-2.12-2-gc4ccff1/nptl/sem_open.c

Context:

The mktemp() call in the code below is the line flagged for this CentOS 6 tmpfile weakness. The code is glibc's sem_open(), which creates the file backing a named POSIX semaphore in the shared-memory mount: mktemp() only generates a name, so the file itself is created by a separate __libc_open() call, leaving a window in which another process can claim that name. Note that sem_open() opens with O_CREAT | O_EXCL, so a file or symlink planted at the predicted name makes open() fail with EEXIST (POSIX requires this even when the path is a symlink) and the loop retries with a fresh name up to NRETRIES times instead of following the link. What remains is the predictability of mktemp() names and the chance that an attacker exhausts those retries, which the loop turns into EAGAIN.

       } sem;

      sem.newsem.value = value;
      sem.newsem.private = 0;
      sem.newsem.nwaiters = 0;

      /* Initialize the remaining bytes as well.  */
      memset ((char *) &sem.initsem + sizeof (struct new_sem), '\0',
	      sizeof (sem_t) - sizeof (struct new_sem));

      tmpfname = (char *) alloca (mountpoint.dirlen + 6 + 1);
      char *xxxxxx = __mempcpy (tmpfname, mountpoint.dir, mountpoint.dirlen);

      int retries = 0;
#define NRETRIES 50
      while (1)
	{
	  /* Add the suffix for mktemp.  */
	  strcpy (xxxxxx, "XXXXXX");

	  /* We really want to use mktemp here.  We cannot use mkstemp
	     since the file must be opened with a specific mode.  The
	     mode cannot later be set since then we cannot apply the
	     file create mask.  */
	  if (mktemp (tmpfname) == NULL)
	    return SEM_FAILED;

	  /* Open the file.  Make sure we do not overwrite anything.  */
	  fd = __libc_open (tmpfname, O_RDWR | O_CREAT | O_EXCL, mode);
	  if (fd == -1)
	    {
	      if (errno == EEXIST)
		{
		  if (++retries < NRETRIES)
		    continue;

		  __set_errno (EAGAIN);
		}

	      return SEM_FAILED;
	    }

	  /* We got a file.  */
	  break;
	}

      if (TEMP_FAILURE_RETRY (__libc_write (fd, &sem.initsem, sizeof (sem_t)))
	  == sizeof (sem_t)
	  /* Map the sem_t structure from the file.  */
	  && (result = (sem_t *) mmap (NULL, sizeof (sem_t), 
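The following added example (not glibc code and not part of the original page) demonstrates the race the definition describes and why the O_EXCL in sem_open()'s open() call matters. It stages the attacker's side deterministically: a "victim" file and a symlink planted at a name the attacker is assumed to have predicted (the fixed name semABC123 stands in for a mktemp() result), both inside a throw-away mkdtemp() directory. It then performs the privileged create twice, once without O_EXCL (the vulnerable pattern, which follows the link and overwrites the victim) and once with O_CREAT | O_EXCL (the pattern sem_open uses, which fails with EEXIST and leaves the victim untouched).

```c
/* Added example, not glibc code: the tmpfile race with and without O_EXCL.
   The scratch directory, victim file and "predicted" name are constructed
   here for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build a scratch dir holding a victim file and a symlink at the name the
   attacker is assumed to have predicted.  Returns 0 on success. */
static int setup_race(char *dir, size_t dirsz, char *victim, size_t vsz,
                      char *planted, size_t psz)
{
    snprintf(dir, dirsz, "%s", "/tmp/tmpfile-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {               /* fall back to cwd if /tmp fails */
        snprintf(dir, dirsz, "%s", "./tmpfile-demo-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, vsz, "%s/victim.txt", dir);
    snprintf(planted, psz, "%s/semABC123", dir);   /* assumed mktemp() output */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6)
        return -1;
    close(fd);
    /* Attacker wins the race: a symlink now sits where the temp file will go. */
    return symlink(victim, planted);
}

static void teardown(const char *dir, const char *victim, const char *planted)
{
    unlink(planted);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if the victim file still holds its original contents. */
static int victim_intact(const char *victim)
{
    char buf[16] = {0};
    int fd = open(victim, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n == 6 && memcmp(buf, "secret", 6) == 0;
}

/* Vulnerable pattern: name from mktemp(), then open() without O_EXCL.
   The open follows the planted symlink, so the "privileged" write lands in
   the victim file.  Returns 1 if the victim was clobbered, -1 on setup error. */
int unsafe_open_follows_symlink(void)
{
    char dir[64], victim[128], planted[128];
    if (setup_race(dir, sizeof dir, victim, sizeof victim, planted, sizeof planted) != 0)
        return -1;
    int clobbered = 0;
    int fd = open(planted, O_RDWR | O_CREAT, 0600);   /* follows the link */
    if (fd >= 0) {
        if (write(fd, "pwned!", 6) == 6)
            clobbered = !victim_intact(victim);
        close(fd);
    }
    teardown(dir, victim, planted);
    return clobbered;
}

/* Hardened pattern, as in sem_open(): O_CREAT | O_EXCL refuses to create
   through any existing path, symlink included, and reports EEXIST so the
   caller can retry with a fresh name.  Returns 1 if the open was refused with
   EEXIST and the victim is untouched, -1 on setup error. */
int excl_open_refuses_symlink(void)
{
    char dir[64], victim[128], planted[128];
    if (setup_race(dir, sizeof dir, victim, sizeof victim, planted, sizeof planted) != 0)
        return -1;
    int fd = open(planted, O_RDWR | O_CREAT | O_EXCL, 0600);
    int refused = (fd == -1 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    int ok = refused && victim_intact(victim);
    teardown(dir, victim, planted);
    return ok;
}

int main(void)
{
    printf("open() without O_EXCL clobbers the victim: %d\n", unsafe_open_follows_symlink());
    printf("open() with O_EXCL refuses the symlink:    %d\n", excl_open_refuses_symlink());
    return 0;
}
```

The O_EXCL check closes the symlink-following hole, which is why sem_open() can keep mktemp() at all; what it does not do is make the name unpredictable, so a local attacker who can pre-create entries in the shm directory can still force repeated EEXIST results and, after NRETRIES, a spurious EAGAIN from sem_open(). The demo uses a private mkdtemp() directory so the kernel's fs.protected_symlinks setting, which only applies to sticky world-writable directories, does not interfere with the vulnerable case.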

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.